aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls/cyassl.c
AgeCommit message (Collapse)Author
2016-11-24proxy: Support HTTPS proxy and SOCKS+HTTP(s)Alex Rousskov
* HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
2016-11-24Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows.Patrick Monnerat
See CRL-01-006.
2016-11-09vtls: Fail on unrecognized param for CURLOPT_SSLVERSIONJay Satiro
- Fix GnuTLS code for CURL_SSLVERSION_TLSv1_2 that broke when the TLS 1.3 support was added in 6ad3add. - Homogenize across code for all backends the error message when TLS 1.3 is not available to "<backend>: TLS 1.3 is not yet supported". - Return an error when a user-specified ssl version is unrecognized. --- Prior to this change our code for some of the backends used the 'default' label in the switch statement (ie ver unrecognized) for ssl.version and treated it the same as CURL_SSLVERSION_DEFAULT. Bug: https://curl.haxx.se/mail/lib-2016-11/0048.html Reported-by: Kamil Dudka
2016-10-31strcasecompare: replaced remaining rawstr.h with strcase.hDan Fandrich
This is a followup to commit 811a693b
2016-10-31strcasecompare: all case insensitive string compares ignore locale nowDaniel Stenberg
We had some confusions on when each function was used. We should not act differently on different locales anyway.
2016-10-18select: switch to macros in uppercaseDaniel Stenberg
Curl_select_ready() was the former API that was replaced with Curl_select_check() a while back and the former arg setup was provided with a define (in order to leave existing code unmodified). Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most common shortcuts where only one socket is checked. They're also more visibly macros.
2016-06-22internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg
2016-06-22vtls: Only call add/getsession if session id is enabledJay Satiro
Prior to this change we called Curl_ssl_getsessionid and Curl_ssl_addsessionid regardless of whether session ID reusing was enabled. According to comments that is in case session ID reuse was disabled but then later enabled. The old way was not intuitive and probably not something users expected. When a user disables session ID caching I'd guess they don't expect the session ID to be cached anyway in case the caching is later enabled.
2016-06-01vtls: fix ssl session cache race conditionIvan Avdeev
Sessionid cache management is inseparable from managing individual session lifetimes. E.g. for reference-counted sessions (like those in SChannel and OpenSSL engines) every session addition and removal should be accompanied with refcount increment and decrement respectively. Failing to do so synchronously leads to a race condition that causes symptoms like use-after-free and memory corruption. This commit: - makes existing session cache locking explicit, thus allowing individual engines to manage lock's scope. - fixes OpenSSL and SChannel engines by putting refcount management inside this lock's scope in relevant places. - adds these explicit locking calls to other engines that use sessionid cache to accommodate for this change. Note, however, that it is unknown whether any of these engines could also have this race. Bug: https://github.com/curl/curl/issues/815 Fixes #815 Closes #847
2016-05-09TLS: move the ALPN/NPN enable bits to the connectionDaniel Stenberg
Only protocols that actually have a protocol registered for ALPN and NPN should try to get that negotiated in the TLS handshake. That is only HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN would wrongly be used in all handshakes if libcurl was built with it enabled. Reported-by: Jay Satiro Fixes #789
2016-05-01tls: make setting pinnedkey option fail if not supportedDaniel Stenberg
to make it obvious to users trying to use the feature with TLS backends not supporting it. Discussed in #781 Reported-by: Travis Burtrum
2016-03-29wolfssl: Use ECC supported curves extensionJay Satiro
https://github.com/wolfSSL/wolfssl/issues/366
2016-03-28wolfssl: Add ALPN supportJay Satiro
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2015-12-16cyassl: deal with lack of *get_peer_certificateDaniel Stenberg
The function is only present in wolfssl/cyassl if it was built with --enable-opensslextra. With these checks added, pinning support is disabled unless the TLS lib has that function available. Also fix the mistake in configure that checks for the wrong lib name. Closes #566
2015-12-16wolfssl: handle builds without SSLv3 supportDaniel Stenberg
2015-12-15cyassl: fix compiler warning on type conversionDaniel Stenberg
2015-09-19ssl: add server cert's "sha256//" hash to verboseDaniel Hwang
Add a "pinnedpubkey" section to the "Server Certificate" verbose Bug: https://github.com/bagder/curl/issues/410 Reported-by: W. Mark Kubacki Closes #430 Closes #410
2015-07-01SSL: Pinned public key hash supportmoparisthebest
2015-04-22cyassl: Implement public key pinningJay Satiro
Also add public key extraction example to CURLOPT_PINNEDPUBLICKEY doc.
2015-04-17cyassl: Fix include orderJay Satiro
Prior to this change CyaSSL's build options could redefine some generic build symbols. http://curl.haxx.se/mail/lib-2015-04/0069.html
2015-04-14cyassl: Add support for TLS extension SNIJay Satiro
2015-04-11cyassl: Include the CyaSSL build configJay Satiro
CyaSSL >= 2.6.0 may have an options.h that was generated during its build by configure.
2015-04-06cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer sizeJay Satiro
Also fix it so that all ERR_error_string calls use an error buffer. CyaSSL's implementation of ERR_error_string only writes the error when an error buffer is passed. http://www.yassl.com/forums/topic599-openssl-compatibility-and-errerrorstring.html
2015-04-05cyassl: Remove 'Connecting to' message from cyassl_connect_step2Jay Satiro
Prior to this change libcurl could show multiple 'CyaSSL: Connecting to' messages since cyassl_connect_step2 is called multiple times, typically. The message is superfluous even once since libcurl already informs the user elsewhere in code that it is connecting.
2015-04-03cyassl: Set minimum protocol version before CTX callbackJay Satiro
This change is to allow the user's CTX callback to change the minimum protocol version in the CTX without us later overriding it, as we did prior to this change.
2015-04-02cyassl: Fix certificate load checkJay Satiro
SSL_CTX_load_verify_locations can return negative values on fail, therefore to check for failure we check if load is != 1 (success) instead of if load is == 0 (failure), the latter being incorrect given that behavior.
2015-04-01cyassl: Fix library initialization return valueJay Satiro
(Curl_cyassl_init) - Return 1 on success, 0 in failure. Prior to this change the fail path returned an incorrect value and the evaluation to determine whether CyaSSL_Init had succeeded was incorrect. Ironically that combined with the way curl_global_init tests SSL library initialization (!Curl_ssl_init()) meant that CyaSSL having been successfully initialized would be seen as that even though the code path and return value in Curl_cyassl_init were wrong.
2015-03-28cyassl: CTX callback cosmetic changes and doc fixJay Satiro
- More descriptive fail message for NO_FILESYSTEM builds. - Cosmetic changes. - Change more of CURLOPT_SSL_CTX_* doc to not be OpenSSL specific.
2015-03-27cyassl: add SSL context callback support for CyaSSLKyle L. Huff
Adds support for CURLOPT_SSL_CTX_FUNCTION when using CyaSSL, and better handles CyaSSL instances using NO_FILESYSTEM.
2015-03-27cyassl: remove undefined reference to CyaSSL_no_filesystem_verifyKyle L. Huff
CyaSSL_no_filesystem_verify is not (or no longer) defined by cURL or CyaSSL. This reference causes build errors when compiling with NO_FILESYSTEM.
2015-03-25cyassl: default to highest possible TLS versionJay Satiro
(cyassl_connect_step1) - Use TLS 1.0-1.2 by default when available. CyaSSL/wolfSSL >= v3.3.0 supports setting a minimum protocol downgrade version. cyassl/cyassl@322f79f
2015-03-25cyassl: Check for invalid length parameter in Curl_cyassl_randomJay Satiro
2015-03-25cyassl: If wolfSSL then identify as such in version stringJay Satiro
2015-03-24curl_memory: make curl_memory.h the second-last header file loadedDan Fandrich
This header file must be included after all header files except memdebug.h, as it does similar memory function redefinitions and can be similarly affected by conflicting definitions in system or dependent library headers.
2015-03-23cyassl: include version.h to ensure the version macros are definedDan Fandrich
2015-03-20cyassl: use new library version macro when availableDan Fandrich
2015-03-17checksrc: use space after commaDaniel Stenberg
2015-03-03vtls: use curl_printf.h all overDaniel Stenberg
No need to use _MPRINTF_REPLACE internally.
2015-01-17vtls: Removed unimplemented overrides of curlssl_close_all()Steve Holme
Carrying on from commit 037cd0d991, removed the following unimplemented instances of curlssl_close_all(): Curl_axtls_close_all() Curl_darwinssl_close_all() Curl_cyassl_close_all() Curl_gskit_close_all() Curl_gtls_close_all() Curl_nss_close_all() Curl_polarssl_close_all()
2014-12-25vtls: Use bool for Curl_ssl_getsessionid() return typeSteve Holme
The return type of this function is a boolean value, and even uses a bool internally, so use bool in the function declaration as well as the variables that store the return value, to avoid any confusion.
2014-12-25cyassl: Prefer 'CURLcode result' for curl result codesSteve Holme
2014-10-24SSL: Remove SSLv3 from SSL default due to POODLE attackJay Satiro
- Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss, openssl effectively making the default TLS 1.x. axTLS is not affected since it supports only TLS, and gnutls is not affected since it already defaults to TLS 1.x. - Update CURLOPT_SSLVERSION doc
2014-07-31cyassl: fix the test for ASN_NO_SIGNER_EDan Fandrich
It's an enum so a macro test won't work. The CyaSSL changelog doesn't say exactly when this error code was introduced, but it's likely to be 2.7.0.
2014-07-31cyassl: use RNG_GenerateBlock to generate a good random numberDan Fandrich
2014-07-30cyassl: made it compile with version 2.0.6 againDaniel Stenberg
ASN_NO_SIGNER_E didn't exist back then!
2014-07-23cyassl.c: return the correct error code on no CA certDan Fandrich
CyaSSL 3.0.0 returns a unique error code if no CA cert is available, so translate that into CURLE_SSL_CACERT_BADFILE when peer verification is requested.
2014-04-23cyassl: Use error-ssl.h when availableDan Fandrich
Versions since at least 2.9.4 renamed error.h to error-ssl.h, so use whichever one is available.
2013-12-26vtls: Updated comments referencing sslgen.c and ssluse.cSteve Holme
2013-12-26vtls: Fixed up include of vtls.hSteve Holme